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METHOD TO DETECT APPLICATION SPOOFING IN MIXED USE AVIONICS 

DISPLAY 



TECHNICAL FIELD OF THE INVENTION 
[0001] The present invention relates to methods of detecting 
application spoofing in a mixed use avionics display, such as a certified flight 
deck display. 

BACKGROUND OF THE INVENTION 

[0002] Airlines rely upon flight manuals, procedural manuals, and other 
manuals in the operation of its aircraft. These manuals are continually being 
revised, modified and supplemented by the airlines to maintain current standards 
for operation of the aircraft. These manuals are carried on the aircraft in paper 
form and are quite extensive in size and weight. The various manuals that are 
used in operating aircraft can weigh 100 pounds or more. Every pound of 
materials carried by an aircraft increases fuel consumption and the cost to 
operate the aircraft. Airlines are constantly looking for ways to reduce their 
operating costs and therefore it is desirable to minimize the weight that must be 
carried by the aircraft. 

[0003] In an effort to reduce the weight of these manuals, airlines are 
increasingly relying upon the use of these manuals in electronic format. The 
manuals are converted into computer applications that are modifiable by the 
airlines, hereinafter referred to as Airline Modifiable Software (AMS). The AMS 
must receive approval from the regulatory agencies that oversee aircraft 
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operation, such as the Federal Aviation Administration. These regulatory 

agencies approve the AMS for use in lieu of the paper manuals. In order to 

utilize the AMS, a display is required that can be viewed by the flight crew at 

various times during the operation of the aircraft. 

[0004] The flight deck on an aircraft has numerous certified flight deck 
displays upon which the AMS could potentially be displayed. However, the AMS 
applications are not certified and are therefore not currently allowed to be 
displayed on a certified flight deck display. As a possible solution, an aircraft 
manufacturer could install additional certified displays on the flight deck that are 
dedicated to displaying the AMS. However, space is extremely limited on the 
flight deck and certified displays are expensive to build and have certified. 
Additionally, certified displays have been shown to not be cost effective when 
limited to non-essential functions, such as the AMS. 

[0005] Another potential problem with using an existing certified flight 
deck display to display the AMS is that the AMS applications must be prevented 
from affecting the safe operation of the aircraft. AMS applications are 
increasingly expected to be provided by sources that are not in or on the flight 
deck. For example, AMS applications can be provided by an airline-controlled 
server which is installed on the airplane. However, the airline-controlled server 
may at times (during flight crew access or not) be connected to off board 
networks. These networks are open and therefore susceptible to malicious 
interference by remote parties that may go undetected. Because these networks 
are open, there is a possibility that a remote party could maliciously interfere with 
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the safe operation of the aircraft by interfering with the displaying of the AMS on 

the existing certified display. For example, the malicious remote party could 

design an application that emulates or spoofs the certified display and have that 

application appear on the certified display with incorrect data instead of the AMS. 

The flight crew would think that the certified display was displaying the 

information for which the display is certified and believe that the inaccurate data 

is true and subsequently affect the safe operation of the aircraft. 

[0006] Therefore, to limit the possibility of malicious interference by 

remote parties airlines have relied upon the use of carry-on personal electronic 

devices (PEDs), such as laptop computers, to run the AMS applications. The 

PED's could avoid the possibility of malicious interference by remote parties if the 

PED's were never connected to open networks. However, most PED's are at 

sometime connected to open networks and, therefore, exposed to malicious 

interference which may not be detected. The use of PEDs are also not without 

substantial drawbacks. As stated above, space is limited on a flight deck and the 

PEDs can interfere with the operation of the flight deck controls, particularly the 

control column. Additionally, the PEDs could present a hazard during turbulence 

in that the PEDs may injure a member of the flight crew or damage equipment. 

Furthermore, PEDs cannot be used during some phases of flight during which it 

may be desirable to have the AMS applications displayed. Finally, some PEDs 

will not be bright enough for sunlit conditions nor dim enough for nighttime use to 

facilitate efficient and comfortable use by members of the flight crew. 
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[0007] Therefore, it would be advantageous to an airline if it could use 
a certified flight deck display to display the AMS applications while preventing or 
at least detecting malicious interference by remote parties. 



[0008] The present invention is directed to a method and apparatus 
that allows the mixed use of a certified avionics display to display information 
received from a non-certified source while allowing the detection of application 
spoofing, in accordance with preferred embodiments of the present invention. 
The method involves providing visual indications on the avionics display that 
alerts a member of the flight crew when the avionics display is being used to 
display information from a non-certified source and, therefore, may not be secure 
and is subject to potential malicious interference by a remote party. 

[0009] In one preferred embodiment, the method comprises the 
providing of an avionics display that has a display area capable of displaying 
information from a non-certified source. Information from the non-certified source 
is provided to the avionics display by a data connection. The information from 
the non-certified source is then displayed on the display area so that less than 
the entire display area is used in displaying the information. Because less than 
the entire display area is used to display the information from the non-certified 
source, a member of the flight crew, when observing the avionics display, will be 
able to visually detect that the avionics display is currently being used to display 
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information from a non-certified source and, as such, is susceptible to malicious 

interference by a remote party. Additionally, because the information is 

displayed on less than the entire display area, any attempt by a remote party to 

emulate or spoof the certified display for which the avionics display is certified 

would appear on less than the entire display area, unlike the certified display 

which appears on the entire display area, and would further indicate that the 

avionics display is not displaying the certified display, but rather is displaying 

information from the non-certified source and that application spoofing is 

occurring. Therefore, a member of the flight crew will avoid being misled by 

application spoofing occurring on the mixed use avionics display and can avoid 

any safety hazards which would have resulted from an undetected application 

spoofing. 

[0010] Optionally, but preferably, the display area is partitioned so that 
at least a portion of the display area can not display the information from the non- 
certified source. The information from the non-certified source would then be 
displayed on less than the entire display area. The partitioning can be 
accomplished by providing the non-certified source of information with a false 
indication of the size of the display area. Because the non-certified source of 
information does not know the true size of the display area, the non-certified 
source is not capable of addressing the entire display area and, therefore, not 
capable of using the entire display area to display the information. Another 
method of partitioning the display area is by providing an avionics display that 
comprises a microprocessor. The microprocessor partitions the display area by 
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limiting the area in which the information from the non-certified source can be 

displayed. Because the display area is partitioned by the microprocessor, 

information being provided from the non-certified source is not capable of being 

displayed on the entire display area and provides a visual indication to the flight 

crew of when the avionics display is displaying information from the non-certified 

source and is vulnerable to application spoofing. 

[0011] In a different aspect of the present invention, the mixed use 

avionics display displays the certified display for which it is certified on the 

display area. The certified display is maintained on the display area while the 

avionics display simultaneously displays the information from the non-certified 

source. The information from the non-certified source is displayed on the display 

area in front of the certified display so that the information is visible on the 

avionics display and at least a portion of the certified display is also visible on the 

avionics display. A member of the flight crew is then able to see both a portion of 

the certified display and the display of the information from the non-certified 

source at the same time, and will be able to visually ascertain when information 

from the non-certified source is being displayed and if application spoofing is 

occurring. 

[0012] In another aspect of the present invention, a visual indicator is 
displayed on the display area of the avionics display whenever information from a 
non-certified source is being displayed. The displaying of the information from 
the non-certified source is prevented from blocking the visual indicator so that the 
visual indicator is always visible on the display area when the information is 
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being displayed. The flight crew will then have a visual indication of when the 

avionics display is displaying information from a non-certified source and is 

subject to malicious interference by a remote party and potential application 

spoofing. 

[0013] In a different aspect of the present invention, application 
spoofing during critical periods of operation of an aircraft is avoided by preventing 
the displaying of information from a non-certified source on the avionics display 
during critical periods of operation. The method is accomplished by establishing 
rules that dictate when the avionics display can display information from a non- 
certified source. The avionics display is then prevented from displaying the 
information when the rules dictate that the avionics display should not display the 
information so that application spoofing can not occur. The rules can be 
established to correspond to applicable government regulations that govern the 
operation of an aircraft employing mixed use avionics displays. Additionally, the 
rules can go beyond the requirements of the government regulations and also 
dictate that the avionics display be prevented from displaying information from a 
non-certified source during any desired period of operation of the aircraft. 

[0014] Further areas of applicability of the present invention will 
become apparent from the detailed description provided hereinafter. It should be 
understood that the detailed description and specific examples, while indicating 
the preferred embodiment of the invention, are intended for purposes of 
illustration only and are not intended to limit the scope of the invention. 
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BRIEF DESCRIPTION OF THE DRAWINGS 

[0015] The present invention will become more fully understood from 

the detailed description and the accompanying drawings, wherein: 

[0016] Figure 1 is a simplified block diagram drawing illustrating the 

components of the avionics display and its communication with a non-certified 

source of information; 

[0017] Figure 2 is a simplified diagram showing the communication 

between an aircraft and a non-certified source of information that is external to 

the aircraft; 

[0018] Figures 3A-C are drawings of the visual display unit of figure 1 
showing various methods of partitioning the display area; 

[0019] Figure 4 is a drawing of the visual display unit of figure 1 
showing the simultaneous displaying of a certified display and of information from 
a non-certified source; 

[0020] Figures 5A-B are drawings of the visual display unit of figure 1 
showing the use of a visual indicator on the display to indicate the displaying of 
information from a non-certified source; and 

[0021] Figure 6 shows the use of rules to control when information from 
a non-certified source can be displayed on the avionics display of figure 1. 

DETAILED DESCRIPTION OF THE PREFERRED EMBODIMENTS 
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[0022] The following description of the preferred embodiment(s) is 
merely exemplary in nature and is in no way intended to limit the invention, its 
application, or uses. 

[0023] Referring to figure 1, there is shown a simplified diagram of a 
typical avionics display 20 used in an aircraft 22. The avionics display 20 
comprises a microprocessor 24 that provides information to a visual display unit 
26. The visual display unit 26 has a display area 28 that is capable of displaying 
information received from the microprocessor 24. 

[0024] In a certified flight deck display the avionics display 20 is 
dedicated to only displaying a certified display. These certified flight deck 
displays only receive information from certified sources on the aircraft 22 and not 
from a non-certified source 30. Because the certified flight deck display only 
receives information from the certified sources on the aircraft, there is no 
possibility of malicious interference with the certified flight deck display by a 
remote party. The avionics display 20 in figure 1 is a mixed use avionics display 
in that it is capable of displaying a certified display and of displaying information 
from a non-certified source 30. The avionics display 20 communicates with the 
non-certified source 30 via a data connection 31 . The data connection 31 allows 
two way communication between the avionics display 20 and the non-certified 
source 30 so that a member of the flight crew can request and retrieve desired 
information from the non-certified source 30. The data connection 31 between 
the avionics display 20 and the non-certified source 30 can be by any means 
known to those skilled in the art. 
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[0025] The non-certified source 30 is preferably used to run the AMS 
applications and to provide these applications to the flight deck via the avionics 
display 20. The non-certified source 30 can be any source of information that is 
not a certified source of information. For example, the non-certified source 30 
could be a portable computer carried on board the aircraft 22 and connected to 
the avionics display 20 by the data connection 31 . The non-certified source 30 
could also be an airline-controlled server which is installed on the aircraft 22. 
Additionally, the non-certified source 30 could also be located external to the 
aircraft 22. For example, the non-certified source 30 could be a server which 
runs the AMS software and is located in a ground based structure. In this case, 
the data connection 31 connects the avionics display 20 to the non-certified 
source 30 via wireless communication, as is known in the art. The non-certified 
source 30 is not certified as part of the aircraft's 22 type design. These non- 
certified sources may at times be connected to other sources that are open to 
remote parties. Because the non-certified source 30 may be exposed to an open 
connection, there is a potential for malicious interference with the information 
being sent from the non-certified source 30 to the avionics display 20. Thus, the 
non-certified source 30 can be exposed to malicious interference by a remote 
party which may not be detected by a member of the flight crew. The present 
invention allows a flight crew member to detect when the visual display unit 26 is 
displaying on the display area 28 information from the non-certified source 30. 
The flight crew member then knows that the information being provided should 
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not emulate or spoof the certified display for which the avionics display 20 is 

certified. 

[0026] In one aspect of the invention, as shown in figure 1, the 
displaying of the information from the non-certified source 30 on the display area 
28 does not occupy the entire display area 28 so that the information from the 
non-certified source 30 is only displayed on a first portion 32 of the display area 
28. More preferably, as shown in figures 3A-C, the display area 28 is partitioned 
so that a second portion 34 of the display area cannot display the information 
from the non-certified source 30. The partitioning of the display area 28 into first 
and second portions 32, 34 can be accomplished in a number of different ways. 
Preferably, the partitioning of the display area 28 is accomplished by providing 
the non-certified source 30 with a false indication of the size of the display area 
28 so that the non-certified source 30 is not capable of addressing the entire 
display area 28. As shown in figure 3A, providing the non-certified source 30 
with a false indication of the size of the display area 28 can be accomplished by 
providing the non-certified source 30 with a false 0,0 corner display address 36 
so that the non-certified source 30 is not capable of addressing the entire display 
area 28. Another way of partitioning, as shown in figure 3C, is by providing the 
non-certified source 30 with a false horizontal display size 38 so that the non- 
certified source 30 is not capable of addressing the entire display area 28. Still 
another way of partitioning, as shown in figure 3B, is by providing the non- 
certified source 30 with a false vertical display size 40 so that the non-certified 
source 30 is not capable of addressing the entire display area 28. While the 
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method of partitioning the display area 28 by providing the non-certified source 
30 with a false indication of the size of the display area 28 has been described as 
being accomplished by providing a false 0,0 corner display address 36, a false 
horizontal display size 38, and a false vertical display size 40, it should be 
understood that these methods are not mutually exclusive and can be combined 
in various combinations without departing from the scope of the invention. It 
should also be pointed out that the methods described are equally applicable to 
providing a false indication of the size of the display area 28 when other than 
Cartesian coordinates are used to address the display area 28, such as when 
polar coordinates are used. 

[0027] An alternative way to partition the display area 28 so that the 
non-certified source 30 can not be displayed on the entire display area 28 is by 
use of the microprocessor 24. In this aspect of the invention, the non-certified 
source 30 can be provided with a correct indication of the size of the display area 
28 but the microprocessor 24 limits the size of the first portion 32 for displaying 
information from the non-certified source 30 to less than the size of the entire 
display area 28 so that the second portion 34 of the display area can not be used 
to display information from the non-certified source 30. Regardless of which 
method is employed, the result is that only the first portion 32 of the display area 
28 displays information from the non-certified source 30 while the second portion 
34 of the display area 28 does not display information from the non-certified 
source 30 and thereby provides for a visual indication of when the avionics 
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display 20 is displaying information from the non-certified source 30 and 

susceptible to application spoofing. 

[0028] In another aspect of the invention, as shown in figure 4, the 
avionics display 20 has a certified display 42 displayed on the entire display area 
28 at all times. The certified display 42 is maintained on the display area 28 
while the information from the non-certified source 30 is simultaneously displayed 
on the first portion 32 of the display area 28. In this aspect of the invention, the 
information from the non-certified source 30 is displayed in front of or 
superimposed on the certified display 42 so that the information from the non- 
certified source 30 is visible on the avionics display 20 and at least a portion 43 
of the certified display 42 is also visible on the avionics display 20. In this 
manner, a member of the flight crew, when visually perceiving the avionics 
display 20, will always see the portion 43 of the certified display 42 along with the 
information from the non-certified source 30 being displayed in front of or 
superimposed on the certified display 42 and know that the avionics display 20 is 
susceptible to application spoofing. 

[0029] In yet another aspect of the invention, as can be seen in figures 
5A-B, a visual indicator 44 is displayed on the display area 28 whenever 
information from the non-certified source 30 is being displayed on the avionics 
display 20. The visual indicator 44 is displayed on the display area 28 in a 
manner that does not allow the displaying of information from the non-certified 
source 30 to block the visual indicator 44 so that visual indicator 44 is always 
visible on the display area 28 when the information from the non-certified source 
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30 is being displayed. The visual indicator 44 can be displayed on the display 

area 28 outside of the first portion 32 of the display area 28 that is displaying the 

information from the non-certified source 30. Alternatively, the visual indicator 44 

can be displayed on the first portion 32 of the display area 28 that is displaying 

the information from the non-certified source 30. When the visual indicator 44 is 

displayed on the first portion 32 of the display area 28 that displays the 

information from the non-certified source 30, the visual indicator 44 is in front of 

or superimposed on the information so that the visual indicator 44 is always 

visible on the display area 28 whenever the information from a non-certified 

source 30 is being displayed on the avionics display 20. While the visual 

indicator 44 is shown as being an asterik, it should be understood that the visual 

indicator 44 does not need to be in the form of an asterik. For example, the 

visual indicator 44 can be another shape or even a band along the display or a 

frame that surrounds the display. 

[0030] While the visual indicator 44 has been described as being 

displayed on the avionics display 20 in the display area 28, it is also possible to 

have the visual indicator 44 appear on the avionics display 20 but not in the 

display area 28. For example, the visual indicator 44 could be a light or some 

other indicator on the avionics display which would light up, glow, or, in some 

other fashion, indicate when the information being displayed on the avionics 

display 20 is from a non-certified source 30. However, having the visual indicator 

44 not appear on the display area 28 presents a potential problem in that the 

visual indicator 44 could malfunction while the visual display unit 26 continues to 
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function properly and a member of the flight crew could believe that the 

information being displayed on the display area 28 is a certified display when in 

reality the avionics display 20 is displaying information from a non-certified 

source 30 and could be susceptible to application spoofing. By having the visual 

indicator 44 appear on the display area 28 the visual indicator 44 will function 

when the visual display unit. 26 is functioning and inform the flight crew when 

information is being displayed from the non-certified source 30. In this manner, 

the problem associated with a visual indicator that operates independently of the 

visual display unit 26 is avoided. 

[0031] Another method of preventing application spoofing in a mixed 
use avionics display 20 is accomplished by establishing rules that dictate when 
the avionics display 20 can display information from the non-certified source 30 
and when it can not. The avionics display 20 is then prevented from displaying 
information from the non-certified source 30 when the rules dictate that the 
avionics display 20 should not be displaying information from a non-certified 
source 30, such as when the aircraft 22 is in critical stages of operation. 

[0032] Preferably, the rules are established based upon applicable 
government regulations that govern the operation of the aircraft 22. These rules 
can vary for each type of aircraft 22. The rules can also be modified as various 
government regulations change. Additionally, the rules can also be established 
based upon the particular safety protocols the owner of the aircraft 22 desires to 
implement in the operation of the aircraft 22. The rules would then dictate when 
a member of the flight crew would have access to viewing information from the 
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non-certified source 30 on the avionics display 20. Because the applicable 
government regulations would require the avionics display 20 to display the 
certified display 42 on the visual display unit 26 during critical periods of 
operation of the aircraft 22, any malicious interference by a remote party would 
not occur during these critical periods of operation and application spoofing 
would not be a concern for the safe operation of the aircraft 22. 

[0033] Referring now to figure 5, when a request is made by a member 
of the flight crew to view information from the non-certified source 30, the 
microprocessor 24 checks the rules to see if the rules allow for the displaying of 
information from the non-certified source 30 on the avionics display 20 during 
that stage of operation of the aircraft 22. If the rules indicate that information 
from the non-certified source 30 can be displayed on the avionics display 20, the 
microprocessor 24 allows the requested information from the non-certified source 
30 to be displayed on the avionics display 20. Because the operational condition 
of the aircraft 22 is dynamic, when the avionics display 20 is displaying 
information from the non-certified source 30, the microprocessor 24 continues to 
monitor the operation of the aircraft 22 and compare the current status of the 
operation of aircraft 22 to the rules to ensure that it is still acceptable to display 
information from the non-certified source 30 on the avionics display 20. 
Microprocessor 24 can be programmed to intermittently and/or continuously 
monitor the operational condition of the aircraft 22 to perform this function. For 
example, the microprocessor 24 can be programmed to compare the operation of 
the aircraft 22 to the rules every 30 seconds, 60 seconds, 120 seconds, or what 
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ever time interval is deemed appropriate to ensure the safe operation of the 
aircraft 22 and to prevent malicious interference by a remote party during critical 
stages of operation of the aircraft 22. Alternatively, the microprocessor 24 could 
be programmed to continuously monitor the operational status of the aircraft 22 
and compare the operational status to the rules so that when the operational 
status of aircraft 22 changes to a condition wherein the avionics display 20 
should not be displaying information from the non-certified source 30, the 
microprocessor 24 immediately prevents the displaying of information from the 
non-certified source 30. 

[0034] When the rules indicate that information from the non-certified 
source 30 is not allowed to be displayed on the avionics display 20, the 
microprocessor 24 causes the avionics display 20 to display the certified display 
42 for which it is certified and prevents the displaying of information from the non- 
certified source 30. Optionally, the microprocessor 24 could also be 
programmed to terminate the data connection 31 which is providing the 
information from the non-certified source 30 to the avionics display 20. The 
termination of the data connection 31 eliminates the possibility of malicious 
interference by a remote party with the avionics display 20. While the use of 
rules to dictate when information from the non-certified source 30 can be 
displayed on the avionics display 20 has been described with reference to the 
steps shown in figure 6, it should be understood that figure 6 is an example and 
there are other ways to use the rules to control when information from a non- 
certified source 30 is allowed to be displayed on the avionics display 20. 
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[0035] While the invention has been described in reference to allowing 

the displaying of AMS applications on the avionics display 20, it should be 

understood that the method is equally applicable to allowing the displaying of 

other applications from a non-certified source on the avionics display 20, such as 

from the internet. 

[0036] The description of the invention is merely exemplary in nature 
and, thus, variations that do not depart from the gist of the invention are intended 
to be within the scope of the invention. Such variations are not to be regarded as 
a departure from the spirit and scope of the invention. 
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